Method for Communicating Between a Reader and a Wireless Identification Marker, Associated Reader and Marker

ABSTRACT

A method includes transmitting a first digital channel (X₀) from a reader to a marker, receiving a second digital channel (Y₀) corresponding to the first digital channel and to errors introduced by a noisy channel, introducing artificial errors into at least one of the first or second digital channels, carrying out an advantage distillation phase in such a way that a new first digital channel (X₁) is determined for the reader. A new second digital channel (Y₁) is determined for the marker such that the advantage is taken with respect to a possible passive attacker. In an information reconciliation phase, an error-correcting protocol is applied to the new first (X₂) and new second (Y₂) digital channel, and in carrying out a secrecy amplification phase, a hash function (G) is applied to the new first (X₂*) and the new second (Y₂*) digital channel.

The present invention relates to communication between a wireless reader and a wireless identification marker.

A wireless identification marker is understood to mean any wireless entity comprising a component with reduced dimensions, comprising a circuit and transmission/reception means. The marker may, for example, be a Radio Frequency Identification (RFID) label, the transmission/reception means of which comprise a radio antenna. It may also involve a contactless smart card. An infrared marker may also be envisaged.

Wireless markers of this type are known and are capable of transmitting, at the request of a wireless identification reader, a unique identifier comprising around one hundred bits over a distance of several meters.

Some of these markers, such as the RFID labels, for example, have low computing capacities. This rules out the possibility of securing the transmissions with a corresponding reader using conventional arithmetically based solutions.

However, use of these markers can only be conceived and generalized if it provides for sufficiently reliable security mechanisms.

To this end, it has been proposed to exploit the noise inherent in the communication channel between a marker and a corresponding reader to provide confidentiality of exchanges in the presence of a passive attacker, i.e. an attacker content to listen to exchanges without interacting with the marker or reader.

However, even if the protocol proposed for this purpose has the merit of being simple to implement, it is based on the hypothesis that the errors with which the attacker is confronted when listening to the exchanges are independent from those introduced by the noisy communication channel between the marker and the reader.

In practice, this hypothesis is not always verified. In particular, the attacker may have sufficient listening capacities to determine the data received by the marker or the reader through correlation on the basis of the data which he receives.

An object of the present invention is to offer a more satisfactory level of security between a wireless identification reader and a wireless identification marker.

The invention therefore proposes a method for communicating between a wireless identification reader and a wireless identification marker via a noisy channel, comprising:

/a/ the transmission of a first numeric string from the reader to the marker;

/b/ the reception, on the marker, of a second numeric string corresponding to the first numeric string, excepting errors introduced by the noisy channel;

/c/ the introduction of artificial errors into at least one of the first and second numeric strings;

/d/ an advantage distillation phase in which a new first numeric string is determined on the reader on the basis of the first numeric string, and a new second numeric string is determined on the marker on the basis of the second numeric string, in such a way as to take the advantage with respect to a possible passive attacker;

/e/ an information reconciliation phase, wherein an error-correction protocol is applied to the new first and the new second numeric string in such a way that, at the end of step /e/, the new first and the new second numeric string are identical with a predetermined probability level; and

/f/ a secrecy amplification phase, wherein a hash function is applied to the new first and the new second numeric string.

The introduction of artificial errors into the first and/or the second numeric string, in addition to the natural errors linked to the noise introduced by the noisy communication channel, enables weakening or removal of the possible correlation of the errors affecting the reader or the marker on the one hand, and the attacker listening to the noisy channel on the other hand. This therefore complicates the task of the attacker, who is no longer able to deduce the information received by the marker from the information which he acquires.

Such an introduction of artificial errors, which may consist in the modification of certain, for example randomly chosen, numerical values of the first and/or the second numeric string, is moreover simple to implement.

The steps of the method are advantageously implemented so that the new first and the new second numeric string are identical, with a predetermined probability level, preferably close to 100%. Thus, the hash function will produce an identical reduced value when it is applied to the new first and to the new second numeric string.

Step /d/ may advantageously be repeated a number of times depending on the noise estimated on the noisy channel.

The invention furthermore proposes a wireless identification reader suitable for communicating with a wireless identification marker via a noisy channel, comprising:

means for transmitting a first numeric string to the marker;

means for introducing artificial errors into the first numeric string;

means for determining a new first numeric string on the basis of the first numeric string, in such a way as to take the advantage with respect to a possible passive attacker;

means for applying an error-correction protocol to the new first numeric string; and

means for applying a hash function to the new first numeric string.

The invention also proposes a wireless identification marker suitable for communicating with a wireless identification reader via a noisy channel, comprising:

means for receiving a second numeric string corresponding to a first numeric string transmitted by the reader, excepting errors introduced by the noisy channel;

means for introducing artificial errors into the second numeric string;

means for determining a new second numeric string on the basis of the second numeric string, in such a way as to take the advantage with respect to a possible passive attacker;

means for applying an error-correction protocol to the new second numeric string; and

means for applying a hash function to the new second numeric string.

Other characteristics and advantages of the present invention will be set out in the following description of non-limiting exemplary embodiments, with reference to the attached drawings, in which:

FIG. 1 is a diagram showing in a simplified manner a system in which the invention can be implemented;

FIGS. 2-5 show simplified numeric strings implemented in an exemplary embodiment of the invention;

FIG. 6 is a diagram showing in a simplified manner a hash operation implemented in an exemplary embodiment of the invention.

FIG. 1 shows an RFID reader 1 suitable for communicating with an RFID label 2. It will be noted that any other type of wireless marker (smart card, infrared marker, etc.) which has capacities to communicate with a corresponding reader could also be used within the scope of the invention.

The reader 1 and the label 2 are suitable for exchanging numeric strings, i.e. sequences of numerical, for example binary, values via a radio communication channel 3. The channel 3 is generally noisy, i.e. it introduces errors into each transmission. Thus, if the reader 1 transmits a numeric string on the channel 3, the label 2 receives a numeric string which differs more or less from the transmitted numeric string according to the noise level introduced by the channel 3.

It is furthermore supposed that a passive attacker 4 tries to acquire the data exchanged between the reader 1 and the label 2. To do this, the attacker 4 listens to the channel 3 and may carry out any type of operation on the acquired data in order to thwart the security implemented between the reader 1 and the label. By way of example, the attacker 4 may implement the same operations as the reader 1 or the label 2.

In the example described below, an attempt is made to obtain information, or a “key”, from the label 2 without the attacker 4 being able to acquire it himself. This key may then be used to implement security mechanisms between the reader 1 and the label 2.

FIG. 2 shows an example of a numeric string X₀ transmitted by the reader 1 to the label 2 via the noisy channel 3. It will be noted that the chosen example of a numeric string comprises a reduced number of bits, i.e. binary elements, to facilitate the understanding of the operations implemented. In reality, the numeric strings transmitted by the reader may be in the order of ten thousand bits, for example.

Due to the noise present on the channel 3, the label 2 receives a numeric string Y₀, of which certain bits differ from the corresponding bits of X₀. These differences 5 are shown in FIG. 2. They are four in number.

It is then chosen to consider the numeric string Y₀ as the reference string, i.e. Y₀ is considered, by convention, to comprise no errors. Conversely, the differences between bits of other numeric strings and the corresponding bits of Y₀ are considered as errors. This is, of course, hypothetical. Other choices of reference strings are equally possible, such as X₀, for example.

The attacker 4 who listens to the noisy channel 3 in turn receives a numeric string Z₀ which differs from X₀ by dint of the noise introduced by the channel 3. Z₀ also differs from Y₀, particularly because the attacker may be present at a location slightly different from the label 2 and because the characteristics of the channel 3 may vary in time and space. The errors contained in Z₀ may be independent or relatively weakly correlated with those contained in Y₀.

Thus, it will be noted in the example shown in FIG. 2 that Z₀ presents five differences compared with Y₀. Four of these differences (differences 6) are the same as the differences 5 between X₀ and the reference string Y₀, whereas the fifth (difference 7) is an error introduced by the channel 3 between the reader 1 and the attacker 4.

According to the invention, the reader 1 calculates a new numeric string X′₀, as a replacement for X₀, by modifying certain bits of X₀. This modification thus consists in introducing artificial errors, for example in a random manner, into X₀. These artificial errors do not depend on the noisy channel 3. They are superadded to the “natural” errors introduced by the noisy channel 4. The combination of the natural and artificial errors between the reader 1 and the label 2 thus prevents the attacker 4, even if he possesses sufficient listening capacities, from discovering any correlation between these errors and the errors to which he himself is subjected when listening to the noisy channel 3. In fact, even if the natural errors introduced by the channel 3 to the label 2 and to the attacker 4 are correlated, the additional introduction of artificial errors by the reader 1 weakens or even removes this correlation.

As a variant, the artificial errors may be introduced by the label 2 into the numeric string Y₀. They may also be introduced simultaneously into the two numeric strings X₀ and Y₀ by the reader 1 and the label 2 respectively.

In the example shown in FIG. 3, three artificial errors have been introduced by the reader 1 into the numeric string X₀ by transforming values “1” into “0” and vice versa. As a result, the modified string X′₀ comprises three differences compared with X₀ (differences 8).

The other operations described below are known.

An advantage distillation phase is first carried out in which the probability is increased that the attacker 4 has a numeric string with a greater number of differences compared with X′₀ than the numeric string obtained in the label 2. In other words, this phase enables the reader 1-label 2 pair to take the advantage with respect to the passive attacker. An example of operations implemented in an advantage distillation phase of this type has been disclosed by Martin Gander and Ueli Maurer in the article entitled “On the secret-key rate of binary random variables, Proc. 1994 IEEE International Symposium on Information Theory (Abstracts), 1994”, p. 351. Other operations can of course be implemented provided that they enable the advantage to be taken with respect to the passive attacker.

In one example of an advantage distillation phase of this type, the numeric strings X′₀ and Y₀ are divided up into groups of N numerical values, where N is an integer. In the example shown in FIG. 3, the bits of X′₀ and Y₀ are grouped in pairs (N=2). Then, for each pair thus identified, an “exclusive OR” (XOR) is applied in order to obtain a “1” if the bits of the pair concerned are different and a “0” if they are identical.

The results of the exclusive OR are then compared over corresponding groups (i.e. of the same ranking) of X′₀ and Y₀. To do this, both the reader 1 and the label 2 transmit on the channel 3 the results of the exclusive OR which they have carried out.

New numeric strings X₁ and Y₁ are then determined, retaining the first numerical values of each group of X′₀ and Y₀ respectively for which the result of the exclusive OR is the same as for the corresponding group of the other numeric string (Y₀ or X′₀). The other groups are ignored and are not taken into account in the make-up of the numeric strings X₁ and Y₁.

The example shown in FIG. 3 reveals five differences between bits of the exclusive OR carried out on X′₀ and Y₀ respectively. Some of these differences are caused by natural errors introduced by the channel 3 (differences 9). Other differences are explained by the introduction of artificial errors into the initial string X₀ (differences 10). It will be noted that the exclusive OR carried out on the penultimate pair (reference 11 in FIG. 3) has the same result, i.e. a “1”, for X′₀ and Y₀ due to the fact that both of the bits of the pair in question of X₀ have been modified by the noisy channel 3 before being received in the label 2.

The numeric strings X₁ and Y₁ resulting from this advantage distillation phase are shown in FIG. 4. Y₁ then becomes the new reference. It will be noted that X₁ and Y₁ reveal a single difference between themselves (difference 12), compared with four differences between X₀ and Y₀. It will thus be understood that the advantage distillation may cause a rapid decrease in the number of differences between the numeric strings of the reader 1 and the label 2.

If the attacker 4 decides to act in the same way as the reader 1 and the label 2, he can then pick up the results of the exclusive OR exchanged between the latter and from these can deduce a string Z₁ according to the same principles. Z₁ then comprises the first bit of each pair of Z₀ which has the same ranking as two corresponding pairs of X′₀ and Y₀ for which the same result of the exclusive OR was obtained. As shown in FIG. 4, the numeric string Z₁ obtained in the example comprises two differences compared with Y₁ and still one difference compared with X₁.

The advantage distillation phase may be repeated a number n of times, where n is an integer, until the numeric string Xₙ has an error rate in relation to Yₙ which is below a chosen threshold. For example, the number n may be chosen according to the estimated noise on the communication channel 3.

In the example shown in the figures, identical numeric strings of the reader 1 and the label 2 are obtained as from the second pass of the advantage distillation phase. In fact, as shown in FIG. 5, the strings X₂ and Y₂ are identical.

Conversely, the string Z₂ obtained in the second pass by an attacker 4 who implements the same operations as the reader 1 and the label 2 remains different from the reference string Y₂.
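
The artificial-error step and the repeated pairwise (N=2) distillation described above can be measured on strings of the ten-thousand-bit order. The following is an added example, not code from the patent: the noise model (a shared error component plus independent components), all probabilities and all function names are assumptions, and the eavesdropper is only the one the text describes, who mirrors the parties' operations. It reports measured error rates under those assumptions and is not a security proof.

```python
import random

def flip(bits, p, rng):
    """Copy of bits with each position inverted independently with probability p."""
    return [b ^ (rng.random() < p) for b in bits]

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def error_rate(s, ref):
    """Fraction of positions where s differs from the reference string."""
    return sum(u != v for u, v in zip(s, ref)) / len(ref) if ref else 0.0

def distill(x, y, z, n=2):
    """One advantage distillation pass over groups of n bits (N in the text)."""
    x1, y1, z1 = [], [], []
    for i in range(0, len(x) - n + 1, n):
        # Reader and label each publish the XOR of their own group.
        if sum(x[i:i + n]) % 2 == sum(y[i:i + n]) % 2:
            # Results match: each party keeps the first bit of the group.
            # The eavesdropper hears both results and keeps the same position.
            x1.append(x[i]); y1.append(y[i]); z1.append(z[i])
    return x1, y1, z1

def simulate(n_bits=10_000, p_common=0.0, p_label=0.05, p_eve=0.05,
             p_art_reader=0.05, p_art_label=0.0, passes=3, seed=1):
    """Return [(length, reader-vs-label rate, eavesdropper-vs-label rate), ...].

    All probabilities are assumed values chosen for illustration."""
    rng = random.Random(seed)
    x0 = [rng.getrandbits(1) for _ in range(n_bits)]
    common = flip([0] * n_bits, p_common, rng)  # errors hitting label AND eavesdropper
    y = flip(xor(x0, common), p_label, rng)     # Y0: plus label-only channel errors
    z = flip(xor(x0, common), p_eve, rng)       # Z0: plus eavesdropper-only errors
    x = flip(x0, p_art_reader, rng)             # X'0: artificial errors at the reader
    y = flip(y, p_art_label, rng)               # variant: artificial errors at the label
    history = [(len(y), error_rate(x, y), error_rate(z, y))]
    for _ in range(passes):
        x, y, z = distill(x, y, z)
        history.append((len(y), error_rate(x, y), error_rate(z, y)))
    return history

if __name__ == "__main__":
    for k, (n, r, e) in enumerate(simulate()):
        print(f"pass {k}: {n:5d} bits  reader/label {r:.4f}  eavesdropper/label {e:.4f}")
```

Calling `simulate(p_common=0.05, p_label=0.0, p_eve=0.0, p_art_reader=0.0)` models an eavesdropper whose errors are fully correlated with the label's and no artificial errors: the eavesdropper's rate against the label's string stays at zero through every pass, which is the situation the artificial errors are meant to address.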

It can be shown that, regardless of the noise present on the noisy channel 3 and regardless of the technique used by the attacker 4 to try to discover the numeric strings obtained by the reader 1 and/or the label 2, this attacker will still obtain an incorrect numeric string, i.e. different from those of the reader 1 and the label 2.

An information reconciliation phase is then implemented. It consists in once more eliminating residual errors in the numeric string of the reader 1 (or of the label 2 if the reference is the string of the reader) in cases where the advantage distillation has not already removed all errors.

An error-correction protocol is used in this information reconciliation phase. This protocol should preferably be chosen in order to minimize the information which is to be transmitted on the channel 3 and which could represent relevant information which can be exploited by the attacker 4.

An example of a protocol is the “Cascade” protocol described by G. Brassard and L. Salvail in the article entitled “Secret-key reconciliation by public discussion, EUROCRYPT '93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, Springer-Verlag New York, Inc., 1994, pp. 410-423”.

With the Cascade protocol, the two parties involved in the communication agree randomly and publicly to a permutation which they respectively apply to the numeric strings which they have obtained at the end of the advantage distillation. The result of these permutations is then split up into blocks with a determined adaptive size. A DICHOT primitive is carried out on each block obtained in this way. If the parity of the corresponding blocks for the two parties is identical, the calculated primitive returns the position of a difference within these blocks. One of the parties then corrects this error. Additional “backtracking” steps are also provided in order to ensure that the set referencing all of the blocks whose parity has been modified following the correction of an error are finally empty.

A known, Cascade-based protocol, but in which (i) the permutation implemented is pre-wired and non-random, (ii) the size of the blocks is fixed and non-adaptive, and (iii) the backtracking is not implemented, is preferably applied to the reader 1 and the label 2. The implementation of a simplified protocol of this type has the advantage of being less expensive than for Cascade, particularly in terms of computing capacity and memory size. In practice, most of the errors are corrected as from the first pass, so that the performance of this simplified protocol is satisfactory.
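
A sketch of such a simplified reconciliation pass, as an added example that is not the patent's own implementation: the block size of 8, the interleaving permutation, the function names and the 32-bit sample strings are all assumptions. The bisection runs on blocks whose parities differ, as in Brassard and Salvail's protocol, and the function counts every parity sent on the channel, since that is the information the text says should be kept to a minimum.

```python
def parity(bits, idx):
    return sum(bits[i] for i in idx) % 2

def dichot(x, y, idx):
    """Bisect a block whose parities differ; return (error position, parities sent)."""
    sent = 0
    while len(idx) > 1:
        half = idx[:len(idx) // 2]
        sent += 1                                 # parity of `half` is disclosed
        idx = half if parity(x, half) != parity(y, half) else idx[len(idx) // 2:]
    return idx[0], sent

def interleave(n, block):
    """Pre-wired permutation: block k gathers positions k, k+stride, k+2*stride, ..."""
    stride = n // block
    return [i for r in range(stride) for i in range(r, n, stride)]

def reconcile_pass(x, y, order, block=8):
    """Correct reader string x toward reference y; return (new x, parities sent).

    One function plays both sides here; on the air each parity(y, ...) is a
    message from the label and each parity(x, ...) is computed by the reader."""
    x, sent = list(x), 0
    for s in range(0, len(order), block):
        idx = order[s:s + block]
        sent += 1                                 # one parity per fixed-size block
        if parity(x, idx) != parity(y, idx):      # odd number of errors in block
            pos, extra = dichot(x, y, idx)
            x[pos] ^= 1                           # reader corrects its own bit
            sent += extra
        # No backtracking: blocks already processed are never revisited.
    return x, sent

def diff(x, y):
    return [i for i, (u, v) in enumerate(zip(x, y)) if u != v]

# Constructed sample: 32-bit reference Y and reader string X with three errors.
# Errors 3 and 4 share a block in natural order, so their parities cancel.
Y = [1,0,1,1,0,0,1,0, 0,1,1,0,1,0,0,1, 1,1,0,0,1,0,1,1, 0,0,0,1,0,1,1,0]
X = [b ^ (i in (3, 4, 20)) for i, b in enumerate(Y)]

def demo():
    x1, s1 = reconcile_pass(X, Y, list(range(32)))     # pass 1: natural order
    x2, s2 = reconcile_pass(x1, Y, interleave(32, 8))  # pass 2: interleaved order
    return diff(x1, Y), s1, diff(x2, Y), s2

if __name__ == "__main__":
    print(demo())
```

The first pass corrects the isolated error but misses the two errors that share a block; the second pass, with the other pre-wired ordering, separates them and corrects both.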

At the end of the information reconciliation phase, the reader 1 and the label 2 have the same numeric string with a predetermined probability level. In the example described with reference to the figures, X₂* and Y₂* denote the identical numeric strings thus obtained by the reader 1 and the label 2 respectively, i.e. the strings X₂ and Y₂ after correction. The attacker 4 in turn has a numeric string Z₂* which differs from X₂* and Y₂*, thanks in particular to the initial introduction of artificial errors into X₀ and equally thanks to the properties of the advantage distillation and information reconciliation phases.

A third so-called secrecy amplification phase is then implemented. The object of a phase of this type was disclosed by Charles H. Bennett, Gilles Brassard, Claude Crépeau and Ueli M. Maurer in the article entitled “Generalized privacy amplification, IEEE Transaction on Information Theory (1995)”. It consists in applying a hash function to the numeric strings obtained by the reader 1 and the label 2 at the end of the preceding phase, i.e. to X₂* and Y₂* in our example.

A hash function is a compression function enabling information to be obtained which is shorter than initial information to which it is applied. It furthermore has the property of delivering very different results on the basis of initial information elements which differ even slightly, i.e. they emphasize the differences between different information elements in such a way as to prevent anyone from simply obtaining initial information on the basis of the result of the hashing.

An example of a hash function which can be used is the hash function disclosed by Kaan Yüksel in the document entitled “Universal hashing for ultra-low-power cryptographic hardware applications, Master's thesis, Worcester Polytechnic Institute, 2004”. The advantage of this function is that it requires very few computing resources, which is in accordance with the constraints of the RFID labels.

FIG. 6 shows the application of the hash function G to X₂* and Y₂*. Since X₂*=Y₂*, this therefore gives G(X₂*)=G(Y₂*). Thus, the reader 1 and the label 2 finally have the same numeric string with a limited size. In a real case, G(X₂*) and G(Y₂*) are, for example, numeric strings comprising the order of around one hundred bits.

Conversely, the attacker 4 has a string Z₂* which differs from X₂* and Y₂*. Even if this attacker knows the hash function used by the reader 1 and the label 2 and tries to calculate G(Z₂*), he will thus obtain a numeric string different from G(X₂*) and G(Y₂*).

The numeric string G(X₂*)=G(Y₂*) common to the reader 1 and the label 2 can subsequently be used to secure the exchanges on the channel 3. For example, this string may be used as a secret key to enable authentication of the reader 1 or the label 2, or to encrypt the data transmitted on the noisy channel 3 for example. Other applications can equally be envisaged on the basis of the determination of this secret key.

1. A method for communicating between a wireless identification reader and a wireless identification marker via a noisy channel, comprising: /a/ the transmission of a first numeric string from the reader to the marker; /b/ the reception, on the marker, of a second numeric string corresponding to the first numeric string, excepting errors introduced by the noisy channel; /c/ the introduction of artificial errors into at least one of the first and second numeric strings; /d/ an advantage distillation phase in which a new first numeric string is determined on the reader on the basis of the first numeric string, and a new second numeric string is determined on the marker on the basis of the second numeric string, in such a way as to take the advantage with respect to a possible passive attacker; /e/ an information reconciliation phase, wherein an error-correction protocol is applied to the new first and the new second numeric string in such a way that, at the end of step /e/, the new first and the new second numeric string are identical with a predetermined probability level; and /f/ a secrecy amplification phase, wherein a hash function is applied to the new first and the new second numeric string.

2. The method as claimed in claim 1, in which the advantage distillation phase comprises the following steps: the first and second numeric string are divided up into groups of N successive numerical values, where N is an integer; an exclusive OR is carried out on each of said groups; the results of the exclusive OR are exchanged between the reader and the marker; the new first numeric string is determined on the reader on the basis of the first numerical value of each group of the first numeric string for which the result of the exclusive OR is identical to the result of the exclusive OR carried out on the corresponding group of the second numeric string; and the new second numeric string is determined on the marker on the basis of the first numerical value of each group of the second numeric string for which the result of the exclusive OR is identical to the result of the exclusive OR carried out on the corresponding group of the first numeric string.

3. The method as claimed in claim 1, in which the introduction of artificial errors in step /c/ comprises a random modification of numerical values of at least one of the first and the second numeric string.

4. The method as claimed in claim 1, in which step /d/ is repeated a number of times depending on the estimated noise of the noisy channel.

5. The method as claimed in claim 1, in which the error-correction protocol is chosen in such a way as to allow a minimum of information to be leaked to a possible passive attacker.

6. A wireless identification reader suitable for communicating with a wireless identification marker via a noisy channel, comprising: means for transmitting a first numeric string to the marker; means for introducing artificial errors into the first numeric string; means for determining a new first numeric string on the basis of the first numeric string, in such a way as to take the advantage with respect to a possible passive attacker; means for applying an error-correction protocol to the new first numeric string; and means for applying a hash function to the new first numeric string.

7. A wireless identification marker suitable for communicating with a wireless identification reader via a noisy channel, comprising: means for receiving a second numeric string corresponding to a first numeric string transmitted by the reader, excepting errors introduced by the noisy channel; means for introducing artificial errors into the second numeric string; means for determining a new second numeric string on the basis of the second numeric string, in such a way as to take the advantage with respect to a possible passive attacker; means for applying an error-correction protocol to the new second numeric string; and means for applying a hash function to the new second numeric string.